Analysis

max time kernel: 152s
max time network: 188s
platform: windows7_x64
resource: win7v20210408
submitted: 18-05-2021 10:09

Static task: static1
Behavioral task: behavioral1
  Sample: 0e59b3f4dc609f0ecc54ac9470086b6b75df549586fff0cd9423c30d19d6ea64.dll
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: 0e59b3f4dc609f0ecc54ac9470086b6b75df549586fff0cd9423c30d19d6ea64.dll
  Resource: win10v20210410
General

Target: 0e59b3f4dc609f0ecc54ac9470086b6b75df549586fff0cd9423c30d19d6ea64.dll
Size: 5.0MB
MD5: d97b7a813774ee9af6db3775421617ce
SHA1: b4d43253fae1ef62564d86f40f973dc0c5a3bad2
SHA256: 0e59b3f4dc609f0ecc54ac9470086b6b75df549586fff0cd9423c30d19d6ea64
SHA512: 41b47db3c74d6e27e7f006fbbd8d2da4cd438eba213dea693c9700e4c5bf5337229a88b7c662b196e401c6768bceb32c825880070b244caf81e330c2cf529fff
Malware Config
Signatures

Wannacry
WannaCry is a ransomware cryptoworm.

Executes dropped EXE (3 IoCs)
Processes: mssecsvc.exe, mssecsvc.exe, tasksche.exe
PID  | Process
344  | mssecsvc.exe
1500 | mssecsvc.exe
1548 | tasksche.exe

Drops file in System32 directory (1 IoC)
Processes: mssecsvc.exe
Description | IoC | Process
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | mssecsvc.exe

Drops file in Windows directory (2 IoCs)
Processes: rundll32.exe, mssecsvc.exe
Description | IoC | Process
File created | C:\WINDOWS\mssecsvc.exe | rundll32.exe
File created | C:\WINDOWS\tasksche.exe | mssecsvc.exe

Modifies data under HKEY_USERS (1 IoC)
Processes: mssecsvc.exe
Description | IoC | Process
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | mssecsvc.exe

Suspicious use of WriteProcessMemory (11 IoCs)
Processes: rundll32.exe, rundll32.exe
Description | Source PID / process | Target PID / process | Occurrences
PID 1660 wrote to memory of 1212 | 1660 rundll32.exe | 1212 rundll32.exe | 7
PID 1212 wrote to memory of 344 | 1212 rundll32.exe | 344 mssecsvc.exe | 4
Processes

C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\0e59b3f4dc609f0ecc54ac9470086b6b75df549586fff0cd9423c30d19d6ea64.dll,#1
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\0e59b3f4dc609f0ecc54ac9470086b6b75df549586fff0cd9423c30d19d6ea64.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE

C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix
Downloads

C:\WINDOWS\mssecsvc.exe
MD5: 3dc9f5d4ffa955356c9900be04a738c6
SHA1: b7667de0206c30782d9ac2cfc0840f020c0c159f
SHA256: 83ba8ba05dabf9080b9efbdf7101a39ccdb47023d7a7aa81303d36b66fffe4f2
SHA512: 2f41f65186be9cb87350deca362843170617c8a46bc0074902cfc176c18150e85fead947164ae181f6757fd6b405004b3792135d674794c5803d9ed787085341

C:\Windows\tasksche.exe
MD5: ff4e3b19f6b2c58837ec62e97834b422
SHA1: 4508fd9909f6bee22abde660c94f1a869749aaf9
SHA256: 4141794ed3928905ce959c30b2c5cc84ee6bebf3a81fc4c7c2624348786776be
SHA512: 86c3d9e731bf51edee3275c99ca05df3b6b2fc8350644804303a265c3c82feb6c9ffe061706a15afc626196b7d3fdca427ac43be8532eddbd7d42a9edf943d1f

memory/344-62-0x0000000000000000-mapping.dmp
memory/1212-60-0x0000000000000000-mapping.dmp
memory/1212-61-0x00000000762C1000-0x00000000762C3000-memory.dmp (Filesize: 8KB)
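The signatures, the process tree and the Downloads hashes above together describe one dropper chain: rundll32.exe loads export #1 of the DLL, writes and starts C:\WINDOWS\mssecsvc.exe, which in turn writes and starts C:\WINDOWS\tasksche.exe /i, while a second mssecsvc.exe instance runs with -m security. (The 64-bit system32 rundll32.exe handing off to the SysWOW64 copy is the normal WoW64 behaviour when a 32-bit DLL is passed to it; the report does not state the DLL's bitness.) The following is an added example, not part of the sandbox report, that turns those observations into detection rules and runs them over constructed process-creation and file-creation events. The event schema (a simplified Sysmon-like dict with type, image, cmdline, parent_image, sha256, target) is an assumption made for the example, the events are constructed to mirror the tree rather than taken from the sandbox, and the services.exe parent given for the -m security instance is assumed for illustration since the report shows no parent for it.

```python
# Detection logic for the behaviour recorded in the report above: dropped-file
# paths, command lines and payload hashes, run over constructed events.
# Added example, not part of the sandbox report.
import re

# SHA256 values listed under Downloads for the two dropped payloads.
DROPPED_SHA256 = {
    "83ba8ba05dabf9080b9efbdf7101a39ccdb47023d7a7aa81303d36b66fffe4f2": "mssecsvc.exe",
    "4141794ed3928905ce959c30b2c5cc84ee6bebf3a81fc4c7c2624348786776be": "tasksche.exe",
}

# Files the dropper chain wrote ("Drops file in Windows directory").
DROPPED_PATHS = {r"c:\windows\mssecsvc.exe", r"c:\windows\tasksche.exe"}

# Command-line patterns taken from the process tree.
CMDLINE_RULES = [
    (re.compile(r'rundll32(\.exe)?\s+\S+\.dll,#1\b', re.I),
     "rundll32 invoking DLL export #1"),
    (re.compile(r'mssecsvc\.exe"?\s+-m\s+security\b', re.I),
     "mssecsvc.exe started in service mode (-m security)"),
    (re.compile(r'tasksche\.exe"?\s+/i\b', re.I),
     "tasksche.exe installer mode (/i)"),
]


def _norm(path):
    """Case-fold and normalise separators so C:\\WINDOWS and C:\\Windows compare equal."""
    return path.replace("/", "\\").lower()


def match_events(events):
    """Return (event_id, reason) pairs for every rule an event triggers.

    Event schema is a simplified Sysmon-like shape assumed for this example:
    type in {process_create, file_create}; process_create carries image,
    cmdline, parent_image and optionally sha256; file_create carries target.
    """
    findings = []
    for ev in events:
        eid = ev["id"]
        if ev["type"] == "process_create":
            image = _norm(ev.get("image", ""))
            parent = _norm(ev.get("parent_image", ""))
            cmd = ev.get("cmdline", "")
            if image in DROPPED_PATHS:
                findings.append((eid, f"execution of dropped file {image}"))
            for rx, why in CMDLINE_RULES:
                if rx.search(cmd):
                    findings.append((eid, why))
            sha = ev.get("sha256", "").lower()
            if sha in DROPPED_SHA256:
                findings.append((eid, f"image hash matches dropped {DROPPED_SHA256[sha]}"))
            # The tree shows rundll32.exe (the DLL host) spawning the dropped EXE.
            if parent.endswith("\\rundll32.exe") and image.endswith("\\mssecsvc.exe"):
                findings.append((eid, "rundll32.exe spawned mssecsvc.exe"))
        elif ev["type"] == "file_create":
            target = _norm(ev.get("target", ""))
            if target in DROPPED_PATHS:
                findings.append((eid, f"dropped file written: {target}"))
    return findings


def flagged_ids(events):
    """Set of event ids that triggered at least one rule."""
    return {eid for eid, _ in match_events(events)}


# Constructed events mirroring the report's process tree (not sandbox output).
# The report shows no parent for the "-m security" instance; the services.exe
# parent below is an assumption for illustration only.
SAMPLE_EVENTS = [
    {"id": 1, "type": "process_create",
     "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\sample.dll,#1",
     "parent_image": r"C:\Windows\system32\rundll32.exe"},
    {"id": 2, "type": "file_create",
     "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "target": r"C:\WINDOWS\mssecsvc.exe"},
    {"id": 3, "type": "process_create",
     "image": r"C:\WINDOWS\mssecsvc.exe", "cmdline": r"C:\WINDOWS\mssecsvc.exe",
     "parent_image": r"C:\Windows\SysWOW64\rundll32.exe",
     "sha256": "83ba8ba05dabf9080b9efbdf7101a39ccdb47023d7a7aa81303d36b66fffe4f2"},
    {"id": 4, "type": "process_create",
     "image": r"C:\WINDOWS\tasksche.exe", "cmdline": r"C:\WINDOWS\tasksche.exe /i",
     "parent_image": r"C:\WINDOWS\mssecsvc.exe",
     "sha256": "4141794ed3928905ce959c30b2c5cc84ee6bebf3a81fc4c7c2624348786776be"},
    {"id": 5, "type": "process_create",
     "image": r"C:\WINDOWS\mssecsvc.exe",
     "cmdline": r"C:\WINDOWS\mssecsvc.exe -m security",
     "parent_image": r"C:\Windows\System32\services.exe",  # assumed parent
     "sha256": "83ba8ba05dabf9080b9efbdf7101a39ccdb47023d7a7aa81303d36b66fffe4f2"},
    {"id": 6, "type": "process_create",  # benign control event, should not fire
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for eid, why in match_events(SAMPLE_EVENTS):
        print(f"event {eid}: {why}")
```

Path and hash rules are the brittle part of this: a rebuilt sample changes every hash and the dropper could pick another directory, whereas the rundll32.exe-to-mssecsvc.exe parent-child relation, the export-#1 invocation and the -m security / /i command lines are the behavioural checks that survive such changes and are the ones worth keeping in a production rule.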